CVE-2026-57997
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
The Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.
Risk Assessment
The organization is at risk of unauthorized access to the Strapi system via forged JWT tokens, potentially leading to account takeover and privilege escalation.
Recommendation
Explicitly configure the plugin::users-permissions.jwt.algorithm parameter to a secure algorithm (e.g., RS256) and update the users-permissions plugin to the latest patched version.
Original NVD description (English source)
Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.

